When most of us sign up with an antivirus company, we expect to get total protection from online and offline threats. This includes viruses, hacking and data theft. But, what if we told you that software like the Avast free antivirus actually collect your browsing history in order to sell it to advertising companies?
That’s exactly what Avast was found doing with its browser extensions. Of course, Avast tried to justify their actions by brushing it off as anonymous information. But the truth is that most of the information they collected did contain users’ personal data.
Initially, Avast tried to reassure its users. It said that the data is aggregated and diluted so as to eliminate any and all possibility of personal identification or targeting. This is the official story that was given to users who initially agreed to the data sharing because Avast has to make money somehow, right?
There’s a problem with that story. Marketers that Avast was selling the information to could still pick the information apart. They could use it to reach the individual users from which it emanated. This is according to an investigation report on the story by Motherboard and PCMag.
De-Identification Failure
Apparently, the Avast free antivirus has been harvesting and selling user data through a dedicated subsidiary called Jumpshot. This offers access to user information through a database of over 100 million devices including smartphones and PCs.
This gives their clientele, which is made up of e-commerce operators and big brands, the opportunity to study customer behavior. This includes their buying habits. They can tell if you clicked on an Instagram or news article ad or if you found a website through Amazon and Google search. It’s that deep.
The information is so detailed and nuanced that the clients can even break it down to individual clicks per browsing session. Now, the Avast free antivirus can argue that user credentials like IP address, email or personal names are never displayed. But their clients can still access your device ID which remains on their system until you actually uninstall the Avast free antivirus from your device.
The Dangers of Spying on Clicks
What’s in a click? There’s no way to track it back to the original user, right? Wrong. Unfortunately, companies like Amazon have the resources to determine the exact details of users who click on their website, down to the time, date and device used.
All of this information is determined from a simple user ID. This is just the tip of the iceberg when compared to the level of user information that Jumpshot exposed through a simple click.
How Did Motherboard and PCMag Find Out?
Motherboard and PCMag initially discovered Avast’s foul play through a source that was otherwise acquainted with Jumpshort products. According to experts consulted during the investigation, Jumpshot and its clients could easily determine user identity through URLs, device IDs, and timestamp information.
One privacy researcher states that the firm’s ability to combine extrapolated data offers an opportunity to de-anonymize data. Companies like Google and Amazon have been collecting user data through user activity logs for years. Jumpshot provided yet another opportunity for companies to trace people’s digital footprints.
While it can be argued that the information provided by Jumpshot is not designed to provide personal identification, companies can use creative methods to extrapolate different data sets to determine user identity.
All Clicks Feed
Avast free antivirus’ internal documents show that Jumpshot’s product catalog consists of browser data collections. This includes user searchers such as chosen results and the keywords used.
A simple sample of the collected data shows entire logs that include mundane searches for things like celebrity birthdays and the latest movies. But, next to that were also porn searches that people wouldn’t want to be associated with.
Also included in the Jumpshot product catalog is the ability to track user activity on platforms like Instagram, Facebook, and YouTube. Another aspect of their service is based on analyzing particular e-commerce domains to provide a better understanding of user reactions to certain products and/or services.
The Omnicom Contract
It appears that Jumpshot can offer a more comprehensive package as well, which includes an amalgamation of everything. Records show that in December 2019, Jumpshot provided a marketing provider called Omnicom Media Group with a “All Clicks Feed” contract that includes each and every click made by Avast free antivirus users.
Usually, this package excludes device IDs in a bid to protect user identity. But in Omnicom’s case, Jumpshot included device ID with every click collected. This is according to the contract specifications.
Not only that, but the contract between Omnicom and Jumpshot required the latter to provide detailed user information. This includes gender, age, website URL string, specific timestamps, and even the referring URL.
The contract doesn’t specify why Omnicom wants or needs the data. They refused to answer any of the investigator’s questions. But, this contract is proof that Jumpshot clients can identify individual users by going through the data provided.
Omnicom receives the information it gets from Jumpshot through its own subsidiary called Annalect. This is a technology solutions firm designed to combine third-party data with a company’s customer information. The contract that Omnicon has with Jumpshot started in January 2019 and is set to last for three years. During this time, Jumpshot is to provide the clickstream data of up to 14 markets to Omnicon to the tune of $6.5 million. The specified markets include the UK, India and the US.
Conclusion
The Jumpshot website shows that they’ve worked with some heavy hitters in the past, including Google, Microsoft, and IBM. But, when reached for comment both Microsoft and IBM denied any involvement or association with Jumpshot or Avast free antivirus. On the other hand, Google simply ignored the request for comment.
Jumpshot does mention other clients like Intuit, Kimberly-Clark, Nestle Purina, and Unilever. The market research also revealed clientele that includes GfK and McKinsey & Company both of which are respected consulting firms. Both companies declined to comment on their involvement with Jumpshot. While there is no conclusive evidence to reveal other client relationships, certain documents show that Jumpshot may have approached certain venture capital firms as well.
Have you ever used the Avast free antivirus? If so, what are your thoughts on this scandal? Sound off in the comments below. We love hearing from you!
